on 06-17-2021 11:26 PM
Microsoft Azure Sentinel and Security Incident Response integration is now available on the ServiceNow Store!
The much-awaited Microsoft Azure Sentinel and Security Incident Response integration is live on the ServiceNow Store!
Summary of the integration
The Microsoft Azure Sentinel Incident Ingestion Integration for Security Operations allows you to discover Microsoft Azure Sentinel incidents (retrieved through the Sentinel API) that are candidates for security incidents, automate the creation of security incidents in Security Incident Response, and enable automated response actions.
Overview
Key features
This integration includes the following key features:
Supported Platform versions: Quebec and Paris
Link to the app on the store: https://store.servicenow.com/sn_appstore_store.do#!/store/application/2e79ad6cfe4220103a962200674b7b...
Link to product documentation:
High level demo of the integration:
https://www.youtube.com/watch?v=LEWqi98fv3o
Comparing Microsoft Azure Sentinel and Microsoft Graph Security API integrations with SIR
You can view the differences between Microsoft Azure Sentinel and Microsoft Graph Security API integrations and choose the right integration with your Now Platform instance.
Microsoft Azure Sentinel Incident Ingestion integration overview
Microsoft Azure Sentinel is a cloud-based security information and event management (SIEM) and security orchestration, automation and response (SOAR) solution.
The Microsoft Azure Sentinel Incident Ingestion integration allows you to automatically fetch incidents from Azure Sentinel, convert them into security incidents, and enable automated response actions.
Microsoft Graph Security API integration overview
The Microsoft Graph Security API is an intermediary service (or broker) that provides a single programmatic interface for connecting multiple security providers (Native to Microsoft as well as ServiceNow Partners).
The Microsoft Graph Security API integration uses the Microsoft Graph Security API to connect with different Microsoft security technologies such as Azure Sentinel, Microsoft Defender Advanced Threat Protection, and Azure Advanced Threat Protection.
Alerts from Microsoft Security providers are ingested, and security incidents are automatically created in Security Incident Response.
Comparison between Microsoft Azure Sentinel and Microsoft Graph Security API integrations

| Microsoft Azure Sentinel integration | Microsoft Graph Security API integration |
| --- | --- |
| Ingests Microsoft Azure Sentinel incidents along with entity information (when available) and automates security incident creation in SIR. | Ingests alerts from multiple security providers (including Azure Sentinel) in a standard schema and automates security incident creation in SIR. |
| Supports bi-directional updates, which include incident closure, incident status change (New), and synchronising comments. | Supports alert updates (alert status change and alert closure) for selected security providers. Note: For more information on the Microsoft Graph Security API supported security providers, view the Microsoft documentation. |
| Use this integration if your scenario includes the following conditions: | Use this integration if your scenario includes the following conditions: |
| Alert is an entity in Microsoft Azure Sentinel. You cannot retrieve standalone or specific alerts using the Microsoft Azure Sentinel Management API. You can only retrieve the alert data associated with an incident. | The Microsoft Azure Sentinel normalised alert data is available. The Microsoft Azure Sentinel alert fields that are mapped internally in Microsoft Graph Security API, and are available in Microsoft Graph Security API, are available for use in this integration. |
| You cannot update alerts in Microsoft Azure Sentinel using this integration. | You cannot update alerts in Microsoft Azure Sentinel using this integration. |
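The constraint in the left column (alerts are reachable only through an incident) shapes how an incident-ingestion poller has to be written. The following is an added example, not ServiceNow's or Microsoft's code, that models that loop: list Sentinel incidents through the Azure Management API, filter the candidates, dedupe on the Sentinel incident id so a later poll updates rather than re-creates, and list the alerts of each candidate incident. The API version, the severity floor, the workspace identifiers and the sample responses are constructed assumptions; `http(method, url)` is an injected callable so the code runs offline.

```python
ARM = "https://management.azure.com"
API_VERSION = "2021-10-01"  # assumption: a GA Microsoft.SecurityInsights version
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

def workspace_base(subscription, resource_group, workspace):
    """ARM path of the Sentinel (SecurityInsights) provider on a Log Analytics workspace."""
    return (f"{ARM}/subscriptions/{subscription}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
            f"/providers/Microsoft.SecurityInsights")

def ingest(http, base, seen, min_severity="Medium"):
    """Return SIR candidates: open incidents at or above min_severity whose Sentinel id
    is not yet in `seen`, so a later poll updates rather than re-creates them.
    The severity floor is an assumption, not a setting the integration documents."""
    out = []
    for inc in http("GET", f"{base}/incidents?api-version={API_VERSION}")["value"]:
        p = inc["properties"]
        if (inc["name"] in seen or p["status"] == "Closed"
                or SEVERITY_RANK[p["severity"]] < SEVERITY_RANK[min_severity]):
            continue
        # Alerts are only reachable per incident: "Incidents - List Alerts" is a POST on
        # the incident resource. inc["id"] is the ARM path (/subscriptions/...).
        alerts = http("POST", f"{ARM}{inc['id']}/alerts?api-version={API_VERSION}")["value"]
        out.append({"sentinel_id": inc["name"], "title": p["title"], "severity": p["severity"],
                    "alerts": [a["properties"]["alertDisplayName"] for a in alerts]})
        seen.add(inc["name"])
    return out

# Constructed sample payloads, shaped like Management API responses (not real data).
BASE = workspace_base("sub-0000", "rg-sec", "ws-sentinel")
def _inc(name, title, sev, status):
    return {"id": f"{BASE[len(ARM):]}/incidents/{name}", "name": name,
            "properties": {"title": title, "severity": sev, "status": status}}
SAMPLE_INCIDENTS = {"value": [_inc("inc-1", "Suspicious sign-in", "High", "New"),
                              _inc("inc-2", "Low-priority noise", "Low", "Active"),
                              _inc("inc-3", "Already resolved", "High", "Closed")]}
SAMPLE_ALERTS = {"inc-1": {"value": [{"kind": "SecurityAlert", "properties":
                                      {"alertDisplayName": "Atypical travel"}}]}}

def fake_http(method, url):
    """Stand-in for an authenticated ARM client; answers from the constructed samples."""
    if method == "GET" and url.startswith(f"{BASE}/incidents?"):
        return SAMPLE_INCIDENTS
    inc_name = url.split("/incidents/")[1].split("/alerts")[0]
    return SAMPLE_ALERTS.get(inc_name, {"value": []})

if __name__ == "__main__":
    print(ingest(fake_http, BASE, set()))
```

A real caller replaces `fake_http` with a client that adds a bearer token for the registered Azure app and handles paging (`nextLink`) on the incident list.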
@Hareesh Namavar "Supports bi-directional updates which include incident closure, incident status change (New), and synchronising comments." Is it really bi-directional, as we can't find any option to auto-close incidents in SN if they are closed in Sentinel?
Hi,
The integration is bi-directional with respect to the use cases that it was built for.
@Hareesh Namavar Ok, second question: when we ingest incidents from Sentinel, I can't find any option to get all work notes on security incident creation in SIR (from Sentinel). Sync is working, but only after creation of the ServiceNow incident. Is there any option to pull work notes from Sentinel that were created before creation of the SIR incident?
The August store release update of the integration will provide you with the ability to map the Azure Sentinel incident "Comments" entity and its associated fields to SIR fields. Your use case can be accomplished with this update!
Hi, I am not able to find the subscription information. What customer should be subscribed to use the application?
@pratiksha5 Could you clarify what you mean by subscription information? To be able to use the integration, you will need the Security Incident Response application, which requires a license/subscription. I believe this Sentinel integration is free to install and use. During the Sentinel integration setup process, a "subscription ID" is required from your registered Azure app for ServiceNow.
Hello,
I'm new to this module and process. I just wanted to know a few things; if anybody can answer these, that would be a great help.
- How can I migrate the existing playbooks present in Sentinel to my ServiceNow SIR? Do I need to do this, or should I follow the existing playbooks provided by ServiceNow?
- How does orchestration come into the picture here? Let's say for a security incident of category phishing email, in the eradication phase I want to find and delete the emails from the user's mailbox. I see there is a button for search and delete, but how does this work in the backend?
- For a use case where I want to block an IP, quarantine an email or deactivate a user account, how can these be achieved? Should I include these capabilities in my playbook, or is there another way to do it? What is the best practice, or how is this generally done?
- What is the difference between these two modules, Capabilities (Flow) and Capabilities?
Thanks,
Sourin